Once you have a shell with low privileges on a box, how do you get admin/system/root privileges?

I am looking for some advice on privilege escalation techniques on both Windows and Linux. I know it depends on a lot of factors, like remote or local, type of OS, service packs, etc. But I am looking more at how to find the solution.

Also, I know that if you use the Metasploit framework, Core Impact, etc., it gets pretty easy. But I want to do it manually.

I know on Windows, we could use the at command. But what if it doesn't work?

Anyway, I have been on Google for a while now and I find it difficult to find good explanations, examples, tutorials or "how tos".

The only solution that I know right now is to go on milw0rm, exploit-db.com, etc., find an exploit, compile it and use it. Are there any other "tricks"?

There are many ways, H1tM0nk3y, and I'll let others answer, too. But oftentimes it's a matter of simply using the access you've already gained to find other exploitable services, etc., on the target, which you can then go after (such as services that, from the outside, were filtered by a firewall, but from the local machine are easily reachable).

Other methods vary, from uploading and running existing exploit code, to starting up an exploitable service or program on the target, which then enables you to hook into system DLLs with escalated privileges, etc.

Edit: I'll try to post some relevant links later (time is NOT on my side this morning), unless sil or others beat me to it! :P

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

To add to hayabusa... there's always a good chance you'll find a misconfiguration or "human mistake" you can leverage, such as private keys carelessly stored, backup shadow files/SAM databases, etc., etc.

It's not the "sexiest" way to escalate your privilege, but usually it's the easiest!

Once again, it goes back to recon and information gathering. See what you can find in terms of users, hashes, running services, file contents, etc. Is the machine running any network services? If so, can you capture traffic on it? Search for scripts and batch files. I've found credentials stored in those on numerous occasions. Why waste time trying to be l33t when they have the info sitting right there for you?

The most used technique on Linux is:
- Look at the kernel version (uname -a) and try an exploit (from e.g. exploit-db) matching that version.

You could also try:
- Read the /etc/passwd (readable, useful to find accounts to bruteforce into) and /etc/shadow (shouldn't be readable, but you never know.)
- Exploit a vulnerable (perhaps local) service running directly as root.
- Bruteforce the root login (su or sudo)
- Try "sudo", your current user may already have sudo privileges! (You may be able to read /etc/sudoers in rare cases.)
- Look for "personal files" that may contain hints to what the password might be. (Some people write their passwords in text files on their computer.)

On Windows, there are a few modules in Metasploit that I know of which have been implemented.

I know that the VNC Injection usually drops a command prompt running as "system" too.

The Meterpreter payload is able to migrate into other processes, and migrating into a process running with higher privileges is also usually possible, so you're usually able to gain higher privileges this way too.

However on boxes with Vista, XP, 7, etc. you're usually already Admin or local Admin. If you're not, try "Pass the Hash" to gain access to other computers or devices on the network which may be a part of an AD (a domain), look for "files" or clues on these boxes too.

Well, that's mostly what you can and should do ;D There are, of course, probably a lot more techniques.

Oh yeah, +1 to ziggy_567 and dynamik, "backups" of passwords etc. are good to look for as well, along with the default admin / admin and admin / password credentials.

Don't forget MitM attacks too if you're in a live and real network! I used that method to grab all the passwords for the mail clients in a real (IRL) scenario; however, be _sure_ that you don't make any mistakes so the clients on the network won't lose their Internet or network connections.

Last edited by MaXe on Fri Aug 20, 2010 9:44 am, edited 1 time in total.

You'd be surprised at JUST how much data you can get, and how frequently users re-use passwords among disparate systems. I had a guy on a pentest recently whose passwords for his personal accounts matched his work accounts. So I sniffed his machine's traffic (the one I had low privileges on to begin with), and grabbed his login to his personal email. Lo and behold, the same creds worked internally, and I went a whole lot further. It's all about search and discovery, and taking one's time in the process, so as not to stumble and be spotted in the process.

~ hayabusa ~


Alright, so things have slowed down for me enough to post a long rambling (rough week: had interop testing, presentations, etc.). Let's take a 50K-foot view and review what I'll call "I haz shell now what?!"

What steps did you go through to get a shell account? For those reading this, it will be part intro, part explanation and so on. Typically the penetration tester will go through phases to access a machine. These phases include a variation of the following:

- Recon
- Enumeration of services
- Enumeration of accounts if possible
- Collection of exploits against the services (where vulnerable)
- etc., etc.

When you set out to test the security of this machine from a penetration tester's point of view, you at some point had to run some form of "mapping" software to determine what services were running on the machine in order to circumvent slash exploit one to work your way in. You've made your way in but have determined it's not where you need to be. You need to escalate for one reason or another.

Sidetrack: In most cases, getting in is enough period (believe it or not) and anyone who tells you otherwise is off their rockers. Analogy time: Imagine coming home from dinner one day to find your apartment was burglarized. Nothing was stolen, but someone ransacked through all your belongings. Do you sit there and say: "So what! Nothing was taken, no harm no foul." Highly doubtful. There is the entire concept of someone going through your personal belongings. Not to mention the fact of insecurity you will feel. "Will they come back again", "will they clean me out next time" and so on.

Forwardtrack: So you've managed to get access... How did you get access again? Through a process. You now need to go through that same process using a different approach. The procedures are the same:

- Recon
- Enumeration of services
- Enumeration of accounts if possible
- Collection of exploits against the system you're on

I see there are mechanisms/programs in place to potentially see/monitor what is going on (snort, ossec, osiris, arpwatch, nagios). Better play it safe and keep things silent (non-noisy, as snort will see it).

man sleep

Meaning, if I need to do something network related, I want to keep my intervals high to avoid tripping IPS/IDS alarms. If an interval command is not available, I'll use sleep for N amount of seconds, e.g.:

Now that I see a private address, let's see what is visible on the private side. Forget nmap since it may NOT be on the machine and there is no way in hell I'm setting off alarms. Hello good old faithful netcat, I need you as a scanner today. You come preinstalled on just about everything nowadays:

Strange, these weren't visible to me from the outside world when I ran nmap. Let me keep note, find a potential matching program and see if I can find any potential working exploits against these services....

I can go Google exploits against this later. Right now, just jotting down what's visible slash accessible to me. Get the picture? It pays to understand systems from a systems administrator perspective otherwise one will always ask the question: "I haz shell now what?" Hopefully this made sense to those who've been asking themselves that same question. The remainder is sort of elementary. Much similar to gathering data from the outside view, gather it now from the inside view. This could mean finding services, finding an account with better privileges (more /etc/group), finding any errors with file permissions. Finding any potential TOCTOU issues and so on.

It's good practice to build a "dossier" of the system you're on instead of trying to hack it wildly. The time you spend doing so (hacking wildly) could lead to you being detected and/or kicked/blocked off the system, rendering your test moot (to a degree... after all, you did get in). Practice, patience and understanding allow you to go far. I can't stress it enough: one needs to truly understand a system from even a junior admin level, as it makes things easier and allows one to streamline processes to make things quicker, more effective and sometimes more stealthy.

For anyone with an OMFG on this in regards to gary7, take note, I replaced my system information with gary7. I wouldn't go fiddling with that machine if I were you. (No really I wouldn't)
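sil's point about keeping intervals high, seen from the monitoring side: a burst-style trigger never fires on a source that sleeps minutes between connections, while a per-source distinct-port count over a long window still does. This is an added example, not code from the thread; the iptables-style log lines, host name and addresses are all constructed.

```python
"""Burst trigger versus long-window counter for the 'sleep between
connections' probing sil describes. Added example, not code from the thread;
log lines are constructed in the shape of iptables LOG output."""
import re
from datetime import datetime

# Constructed: 10.1.1.23 touches a new port every ~6 min; 10.1.1.40 is a
# normal client opening two connections to the web server.
SAMPLE_LOG = """\
Aug 20 09:00:01 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40001 DPT=22 SYN
Aug 20 09:02:00 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.40 DST=10.1.1.5 PROTO=TCP SPT=51000 DPT=80 SYN
Aug 20 09:02:01 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.40 DST=10.1.1.5 PROTO=TCP SPT=51001 DPT=80 SYN
Aug 20 09:06:11 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40002 DPT=25 SYN
Aug 20 09:12:40 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40003 DPT=80 SYN
Aug 20 09:18:03 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40004 DPT=110 SYN
Aug 20 09:24:57 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40005 DPT=143 SYN
Aug 20 09:31:15 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40006 DPT=443 SYN
Aug 20 09:37:49 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40007 DPT=3306 SYN
Aug 20 09:44:02 fw1 kernel: IN=eth1 OUT= SRC=10.1.1.23 DST=10.1.1.5 PROTO=TCP SPT=40008 DPT=5432 SYN
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) .*SRC=(\S+) .*DPT=(\d+)")

def parse(log_text):
    """Return sorted (timestamp, src, dport) tuples from iptables-style lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; only deltas matter here
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return sorted(events)

def port_sweep_alerts(events, window_seconds, min_ports):
    """Sources that hit at least min_ports distinct ports inside any span of
    window_seconds. A few-second window is the usual burst rule; only a long
    window sees a prober who sleeps between connections."""
    by_src = {}
    for ts, src, dport in events:
        by_src.setdefault(src, []).append((ts, dport))
    flagged = []
    for src, hits in sorted(by_src.items()):
        for i, (start, _) in enumerate(hits):  # slide the window start
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                flagged.append(src)
                break
    return flagged
```

With the sample, a 10-second window and five ports flags nothing, while an hour-long window with the same port count flags 10.1.1.23; the second client is never flagged because it only ever touches port 80.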

So this won't work every time, but you need to rescan the box for vulnerable services from the unprivileged shell. Especially for legacy services, you may note that a favorite vendor "fix" is to tell you to firewall the service so it can't be hit from outside. If you got on the machine, you are now on the trusted network... whack away!

On *nix don't forget to look at cron jobs, shell scripts, and setuid binaries that shouldn't be. If you have limited sudo, try things like ed, vi, cat, cp. All those can be used to replace configs and give you root.

Last, remember that you don't have to be root to get valuable information. If on a db server, I really want the db, mail server == mail...
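The Linux checks MaXe and former33t list above (a readable /etc/shadow, setuid binaries that shouldn't be there, cron scripts other users can edit) turned into a hardening audit an admin can run on their own hosts before someone else does. This is an added example, not code from the thread; the setuid baseline, the cron directory and the sample tree are assumptions.

```python
"""Hardening audit for the Linux weak spots this thread keeps returning to:
a readable /etc/shadow, setuid binaries nobody approved, cron scripts other
users can edit. Added example, not code from the thread; the setuid baseline
and the sample tree are constructed assumptions."""
import os
import stat
import tempfile

SETUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su"}  # assumed
OTHERS_READ = stat.S_IRGRP | stat.S_IROTH
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH

def shadow_readable_by_others(shadow_path):
    """True when group or others can read the password hashes."""
    return bool(os.stat(shadow_path).st_mode & OTHERS_READ)

def unexpected_setuid(root, baseline=SETUID_BASELINE):
    """setuid/setgid regular files under root that are not on the baseline,
    reported as '/'-rooted paths so a test tree and a live host compare alike."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: never follow symlinks
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                rel = "/" + os.path.relpath(full, root)
                if rel not in baseline:
                    hits.append(rel)
    return sorted(hits)

def writable_cron_scripts(cron_dir):
    """Names in cron_dir that group or others may modify: a root-run job that
    executes such a script hands root to whoever can edit it."""
    return sorted(n for n in os.listdir(cron_dir)
                  if os.lstat(os.path.join(cron_dir, n)).st_mode & OTHERS_WRITE)

def build_sample_tree():
    """Constructed fake filesystem with one finding per check; returns root."""
    root = tempfile.mkdtemp(prefix="audit-")
    layout = {"usr/bin/sudo": 0o4755,          # on the baseline, expected
              "opt/backup/dbdump": 0o4755,     # setuid helper nobody approved
              "etc/cron.daily/rotate": 0o777,  # root's job, world-writable
              "etc/cron.daily/clean": 0o755,   # fine
              "etc/shadow": 0o644}             # hashes readable by everyone
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)
    return root
```

Run the three checks with root="/" (and /etc/cron.daily, /etc/cron.d and the other cron directories your distribution uses) on a host you administer; the sample tree only exists so the checks can be exercised offline.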

former33t wrote: Last, remember that you don't have to be root to get valuable information. If on a db server, I really want the db, mail server == mail...

sil and former33t went further for you on where I was leading. The end point is exactly as former33t put it in the quote above... Ultimately, at the end of the day, the point is showing what you can get to, and as he said, if it's a mail server and you can snarf all the mail, you've successfully achieved the goal. Now on to the next box, and the next, and the next. (Although, if you're wily enough to gain privileged shells, and enumerate usernames and passwords for OTHER machines on the same network, then you've made life all that much easier to continue.)

Good luck!

~ hayabusa ~


Of course, proving you were able to steal valuable information is enough for a pentest. I guess I would only go further if I knew I could get to even more sensitive information by being root/admin/system, like having access to credit card numbers instead of "just" reading mail. As long as you can scare your clients, you know/hope they will fix their things.

But once you have a shell, you have access to a whole new world. And I, still a beginner in the field, will see many moons before I feel comfortable elevating privileges on a box... I will practice these techniques a lot in the lab.